openEuler Security Advisory openEuler-SA-2021-1087: kernel security update

Title: An update for kernel is now available for openEuler-20.03-LTS-SP1
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Advisory ID: openEuler-SA-2021-1087
Status: Final
Version: 1.0
Revision history: 1.0 (2021-03-05), Initial
Initial release date: 2021-03-05
Current release date: 2021-03-05
Generator: openEuler SA Tool V1.0 (2021-03-05)
Severity: High
Affected product: openEuler-20.03-LTS-SP1
Affected component: kernel

Summary

An update for kernel is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Linux kernel, the operating system core itself.

Security Fix(es)

Each entry gives the CVE identifier, the openEuler severity rating, the CVSS v3 base score and vector, and the vulnerability description. All entries were released on 2021-03-05 for openEuler-20.03-LTS-SP1 as part of this kernel security update.

CVE-2020-28374 (High, 8.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.

CVE-2020-29568 (Medium, 6.5, AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
  An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) process watch events using a single thread. If the events are received faster than the thread is able to handle, they get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.

CVE-2020-27068 (Medium, 4.4, AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
  In the nl80211_policy policy of nl80211.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation. Product: Android. Versions: Android kernel. Android ID: A-119770583.

CVE-2020-27786 (High, 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permission to issue ioctl commands to MIDI devices could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.

CVE-2021-3347 (High, 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.

CVE-2021-3348 (Medium, 5.5, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an nbd_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.

CVE-2020-0423 (High, 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2020-36158 (Medium, 6.7, AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.

CVE-2020-8694 (Medium, 5.5, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2020-4788 (Medium, 4.7, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
  IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances.

CVE-2019-16089 (Medium, 4.1, AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
  An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.

CVE-2020-0465 (High, 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  In various methods of hid-multitouch.c, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2020-0466 (High, 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use-after-free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2021-20177 (Medium, 4.4, AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
  A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) inserting iptables rules could insert a rule which can panic the system.

CVE-2021-3178 (Medium, 6.5, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
  ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.

Affected Packages (openEuler-20.03-LTS-SP1)

aarch64:
  bpftool-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  bpftool-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-debugsource-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-devel-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-source-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-tools-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-tools-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  kernel-tools-devel-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  perf-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  perf-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  python2-perf-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  python2-perf-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  python3-perf-4.19.90-2102.2.0.0057.oe1.aarch64.rpm
  python3-perf-debuginfo-4.19.90-2102.2.0.0057.oe1.aarch64.rpm

source:
  kernel-4.19.90-2102.2.0.0057.oe1.src.rpm

x86_64:
  bpftool-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  bpftool-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-debugsource-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-devel-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-source-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-tools-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-tools-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  kernel-tools-devel-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  perf-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  perf-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  python2-perf-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  python2-perf-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  python3-perf-4.19.90-2102.2.0.0057.oe1.x86_64.rpm
  python3-perf-debuginfo-4.19.90-2102.2.0.0057.oe1.x86_64.rpm

References

Advisory:
  https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1087

openEuler CVE pages:
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-28374
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-29568
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27068
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27786
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3347
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3348
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-0423
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36158
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-8694
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-4788
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-16089
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-0465
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-0466
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-20177
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3178

NVD CVE pages:
  https://nvd.nist.gov/vuln/detail/CVE-2020-28374
  https://nvd.nist.gov/vuln/detail/CVE-2020-29568
  https://nvd.nist.gov/vuln/detail/CVE-2020-27068
  https://nvd.nist.gov/vuln/detail/CVE-2020-27786
  https://nvd.nist.gov/vuln/detail/CVE-2021-3347
  https://nvd.nist.gov/vuln/detail/CVE-2021-3348
  https://nvd.nist.gov/vuln/detail/CVE-2020-0423
  https://nvd.nist.gov/vuln/detail/CVE-2020-36158
  https://nvd.nist.gov/vuln/detail/CVE-2020-8694
  https://nvd.nist.gov/vuln/detail/CVE-2019-16089
  https://nvd.nist.gov/vuln/detail/CVE-2020-0465
  https://nvd.nist.gov/vuln/detail/CVE-2020-0466
  https://nvd.nist.gov/vuln/detail/CVE-2021-20177
  https://nvd.nist.gov/vuln/detail/CVE-2021-3178